Managing risk
Learn about the Victorian Government risk management framework, the risk management process during all stages of the project lifecycle and best practices for managing unique project risks.
Understanding risk management
Building works and construction are risk-prone activities: risks being defined as being the chance of something happening that will have an impact on objectives. Risks may prevent a project from finishing on time, within budget and/or to the required standard, which may ultimately impact the realisation of its benefits. It is important to identify, assess, respond and monitor risks that could affect the project.
The status of issues should be reported to the OTCD at regular intervals; the frequency of which will be based on the project’s size and complexity.
The TAFE’s risk management framework should also be considered when identifying and managing project risks.
Open all
- What is a risk and what is risk management?
A risk can be defined as an event or circumstance that has not yet happened but has the potential to impact the project (for example, the risk of cost overruns as a result of the increased price of raw materials). Types of risk vary from project to project.
Risk management is a process in which you identify, assess and put in place actions to reduce risks to an acceptable level. Appropriate risk management will help achieve a project’s objectives.
- Risk and cost estimation across the project lifecycle
Project definition, funding and approvals
When defining the project and applying for funding and approvals, you will need to estimate an appropriate level of budget to assist in managing budget risk for the project, including risks that are likely to arise over the delivery phase.
You should establish a risk register at this stage, which can be updated and reviewed at regular intervals to ensure the risk register is accurate and relevant.
You will need to consider how potential risks may impact the project budget (it may be useful to hold workshops with key project stakeholders to develop the project risk register), and quantify these risks to estimate the required contingency funding allocation.
For medium complexity and HVHR projects, you may wish to carry out a risk quantification workshop in addition to the project risk identification workshop. Inputs gathered as part of this risk quantification workshop may feed into complex financial modelling where the cost impact of the risk is assessed against the likelihood and probability of the risk occurring. This will allow you to calculate the level of contingency (which is sometimes referred to as the risk adjustment) that should be included in the funding proposal.
In particular, for some medium complexity and HVHR projects, you may need to consider developing a risk-adjusted reference project which represents the most efficient means of delivering the project.
Procurement
When undertaking procurement, you may need to consider developing a risk-adjusted project cost. This will set a benchmark cost to compare and evaluate value-for-money responses from tenderers.
Delivery
If risks eventuate during construction, you may need to draw on the contingency budget. Depending on the project’s governance structure, this may require approvals from the project steering committee before the funds can be accessed.
- The Victorian Government Risk Management Framework (VGRMF)
The Victorian Government Risk Management Framework (VGRMF) describes the minimum and mandatory risk management requirements TAFEs are required to meet, to demonstrate that they are managing risk effectively.
Under Financial Management Act Standing Direction 3.7.1 (risk management framework and processes), the VGRMF applies to TAFEs which are covered by the Financial Management Act 1994.
The Victorian Managed Insurance Authority (VMIA) plays an important role in supporting TAFEs in the implementation of the VGRMF, by providing risk guidelines, training and support, risk maturity assessments and learning and development strategies.
- Mandatory requirements set out in the VGRMF
Mandatory risk management requirements, as set out in the Victorian Government Risk Management Framework, ensure:
- the TAFE has a risk management framework in place consistent with AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines
- the risk management framework
- is reviewed annually so that it remains current and is enhanced, as required, and
- supports the development of positive risk culture within the TAFE
- risk management processes are effective in managing risks to a satisfactory level
- it is clear who is responsible for managing each risk
- the TAFE contributes to the identification and management of state-significant risks, as appropriate
- risk management is incorporated in corporate and business planning processes, and
- the TAFE’s risk profile has been reviewed within the past 12 months. Insurances are a key part of appropriate risk management practices. There is a range of mandatory insurance requirements that TAFEs must address as detailed in the Victorian Government Risk Management Framework.
Appropriate project-specific insurances will also need to be held by all specialised consultants.
- The risk management process
The key elements of the risk management framework, outlined in the Victorian Government Risk Management Framework, are as follows:
- Mandate and commitment: Requires a strong and sustained commitment by TAFE management to ensure ongoing effectiveness of risk management. This commitment should support the development of a positive risk culture.
- Design of framework for managing risk: Requires a systematic approach in designing a risk management framework that is relevant, effective, efficient and adequate. The framework should include:
- appropriate risk management strategies
- a risk management policy and plan
- effective governance, communication and reporting arrangements
- resource requirements, and
- risk management accountabilities.
- Implementing risk management: A risk management process is applied through a risk management plan at all relevant TAFE levels and functions, as part of its practices and processes. Investment in resources and capabilities should enable a TAFE to effectively and efficiently apply its risk management activities.
- Monitoring and review of the framework: TAFEs should continually ensure that risk management is effective and supports organisational performance. Under the mandatory requirements, the risk management framework is to be reviewed annually and enhanced as required.
- Continual improvement of the framework: Based on the results of monitoring, reviews, and any independent assurance of risk management controls and practices, decisions can be made on how the risk management framework, policy and plan can be improved.
- Reporting and attestation requirements on project risks
Project reporting
Regular project reporting is an important way to inform key stakeholders of the project’s progress against risks. Reporting on project risks should include tracking against the identified risks and any changes to the likelihood or consequence of the risk eventuating. Project reporting should also identify new risks and whether the risk treatment or tolerance needs to be refined or escalated through the project’s governance structure.
During the delivery phase, the risks identified by the TAFE, the contractor and specialised consultants should be consolidated and regularly reported to the OTCD. Typically, the project manager should include the following information for each risk:
- risk title/status
- risk rating
- description of the risk, and
- proposed treatment of the risk. For reporting purposes (including regular status reporting and annual reporting), it is also important to maintain the project risk register. The project risk register is a document that identifies, analyses and evaluates project risks and presents treatment options to manage the risk.
The risk register should be shared between project stakeholders. This allows those involved in the project to understand their responsibilities and the required mitigation actions for the risks identified.
Risk register templates may be found via the Victorian Managed Insurance Authority (VMIA). As project risks and issues can be entered into the risk register by the contractor and specialised consultants, the project manager (or equivalent) should ensure that the risk register is consolidated and maintained through the whole project delivery and the defects liability period.
Organisational reporting
Under Ministerial Standing Direction 5.1.4 (financial management compliance attestation), TAFEs must provide an annual attestation of compliance with applicable requirements of the Financial Management Act 1994, the Standing Directions (incorporating the VGRMF framework) and the Instructions, and disclose all material compliance deficiencies.
Further information on annual reporting is available.
I need to:
- Manage quality
- Manage project scope and change
- Manage project costs
- Manage the program of works
- Learn about project reporting
Updated 31 December 2025
Related links
- Victorian Government Risk Management Framework
- DTF investment lifecycle stage 1 business case
- Risk advice and support from the Victorian Managed Insurance Authority
About the VIC Government
- The Premier and ministers
- Find a Vic Gov department, agency or service
- Strategies and policies
- Inquiries and royal commissions
Grants and programs
Jobs and careers
Arts, culture and heritage
Business and the workplace
- Mentally Healthy Workplaces Framework
- Portable Long Service Authority
- Victoria’s racing industry
- Workforce Inspectorate Victoria
- Liquor licensing, sale and supply
Communities
- Children
- First Peoples - State Relations
- Finding records
- Gender equality & women’s leadership
- LGBTIQA+ equality
- Multicultural communities
- Seniors Online
- Veterans support and commemoration
- Volunteering in Victoria
- Youth Central
Education and training
- Victorian Early Childhood Regulatory Authority
- Early childhood education – information for professionals
- Kinder: Best Start, Best Life
- Education – information for parents
- Schools.Vic - information for schools
- Education grants, programs, awards and events
- PROTECT
- TAFE, training and universities sector
- TAFE Victoria
- Victorian Skills Authority
- Apprenticeships Victoria
- Learn Local
Environment, water and energy
Finance and economy
Health and social support
- Family violence reform
- NDIS Worker Screening Check
- NDIS and disability services and support in Victoria
- Patient Review Panel
- Transforming Trauma Victoria
Housing and property
Law and justice
- Adoption
- Births, deaths and marriages
- Honorary justices
- Machete ban
- Safeguarding Victorians against terrorism
- Stolen Generations Reparations Package
- Victims of Crime
- Victorian Racing Tribunal
Safety and emergencies
- Emergency Recovery Victoria
- Victorian Emergency Relief and Recovery Foundation
- Emergency Recovery Resource Portal
- How well do you know fire
- Fire Services Reform
- Water safety
- Marine Search and Rescue
Science and technology
- Data sharing and open data
- Data.vic - discover and access Vic Gov open data
- Developer.Vic - portal for API developers
- Go.vic URL shortener
- Vic Gov IT project dashboard
- Victoria’s free public wi-fi network
- Cyber security in the Victorian Government
Sport and recreation
Traffic and transport
- Cameras Save Lives
- Transport Fines
- Getting Around
- Transport Planning
- Transport Future
- Climate Change and transport
- Future Directions For Transport
- Transport projects
- Ports and Freight
Working in the Victorian Government
- Single Digital Presence home
- Accommodation and Library Services
- Executive employment in the Victorian public sector
- Budget, procurement and funding
- Careers in the Victorian Government
- Council and Regulator Toolkit
- Guidelines for working in government
- Join a government network
- Standards and guidelines
- VicFleet CarPool
- Victorian Government style guide